{
  "description": "Enterprise techniques used by Sandworm Team, ATT&CK group G0034 (v4.2)",
  "name": "Sandworm Team (G0034)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.(Citation: ESET Telebots Dec 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1087.003", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.(Citation: ESET Telebots July 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1098", "comment": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used the `sp_addlinkedsrvlogin` command in MS-SQL to create a link between a created account and other servers in the network.(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff6666", "showSubtechniques": false},
    {"techniqueID": "T1583", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used various third-party email campaign management services to deliver phishing emails.(Citation: Leonard TAG 2023)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1583.001", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages, while also hosting these items on legitimate, compromised network infrastructure.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Slowik Sandworm 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1583.004", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1595", "showSubtechniques": true},
    {"techniqueID": "T1595.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has scanned network infrastructure for vulnerabilities as part of its operational planning.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034)'s BCS-server tool connects to the designated C2 server via HTTP.(Citation: ESET Telebots Dec 2016) During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used [BlackEnergy](https://attack.mitre.org/software/S0089) to communicate between compromised hosts and their command-and-control servers via HTTP post requests. (Citation: Booz Allen Hamilton)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1110", "comment": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used a script to attempt RPC authentication against a number of hosts.(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff6666", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018) During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.(Citation: Dragos Crashoverride 2018)\nDuring the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized a PowerShell utility called TANKTRAP to spread and launch a wiper using Windows Group Policy.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used the `xp_cmdshell` command in MS-SQL.(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has created VBScripts to run an SSH server.(Citation: ESET BlackEnergy Jan 2016)(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)(Citation: Dragos Crashoverride 2018) During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) installed a VBA script called `vba_macro.exe`. This macro dropped `FONTCACHE.DAT`, the primary [BlackEnergy](https://attack.mitre.org/software/S0089) implant; `rundll32.exe`, for executing the malware; `NTUSER.log`, an empty file; and desktop.ini, the default file used to determine folder displays on Windows machines. (Citation: Booz Allen Hamilton)\nDuring the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) created VBScripts to run on an SSH server.(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1586", "showSubtechniques": true},
    {"techniqueID": "T1586.001", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) creates credential capture webpages to compromise existing, legitimate social media accounts.(Citation: Slowik Sandworm 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1554", "comment": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used a trojanized version of Windows Notepad to add a layer of persistence for [Industroyer](https://attack.mitre.org/software/S0604).(Citation: ESET Industroyer)", "score": 1, "color": "#ff6666", "showSubtechniques": false},
    {"techniqueID": "T1584", "showSubtechniques": true},
    {"techniqueID": "T1584.004", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) compromised legitimate Linux servers running the EXIM mail transfer agent for use in subsequent campaigns.(Citation: NSA Sandworm 2020)(Citation: Leonard TAG 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1584.005", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used a large-scale botnet to target Small Office/Home Office (SOHO) network devices.(Citation: NCSC Cyclops Blink February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1136", "comment": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) added a login to a SQL Server with `sp_addlinkedsrvlogin`.(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1136.002", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) created privileged domain accounts to be used for further exploitation and lateral movement. (Citation: Booz Allen Hamilton) During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) created two new accounts, “admin” and “система” (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges.(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.002", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) configured Systemd to maintain persistence of GOGETTER, specifying the `WantedBy=multi-user.target` configuration to run GOGETTER when the system begins accepting user logins.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used an arbitrary system service to load at system boot for persistence for [Industroyer](https://attack.mitre.org/software/S0604). They also replaced the ImagePath registry value of a Windows service with a new backdoor binary. (Citation: Dragos Crashoverride 2017)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1555", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034)'s CredRaptor tool can collect saved passwords from various internet browsers.(Citation: ESET Telebots Dec 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1485", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used [CaddyWiper](https://attack.mitre.org/software/S0693), [SDelete](https://attack.mitre.org/software/S0195), and the [BlackEnergy](https://attack.mitre.org/software/S0089) KillDisk component to overwrite files on victim systems. (Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots June 2017)(Citation: Mandiant-Sandworm-Ukraine-2022) Additionally, [Sandworm Team](https://attack.mitre.org/groups/G0034) has used the JUNKMAIL tool to overwrite files with null bytes.(Citation: mandiant_apt44_unearthing_sandworm) During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) deployed [CaddyWiper](https://attack.mitre.org/software/S0693) on the victim’s IT environment systems to wipe files related to the OT capabilities, along with mapped drives, and physical drive partitions.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034)'s BCS-server tool uses base64 encoding and HTML tags for the communication traffic with the C2 server.(Citation: ESET Telebots Dec 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used [Prestige](https://attack.mitre.org/software/S1058) ransomware to encrypt data at targeted organizations in transportation and related logistics industries in Ukraine and Poland.(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1213", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) exfiltrates data of interest from enterprise databases using Adminer.(Citation: Leonard TAG 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1005", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has exfiltrated internal documents, files, and other data from compromised hosts.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1491", "showSubtechniques": true},
    {"techniqueID": "T1491.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034)'s VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompressed it using GZip.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots July 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1587", "showSubtechniques": true},
    {"techniqueID": "T1587.001", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has developed malware for its operations, including malicious mobile applications and destructive malware such as [NotPetya](https://attack.mitre.org/software/S0368) and [Olympic Destroyer](https://attack.mitre.org/software/S0365).(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1561", "showSubtechniques": true},
    {"techniqueID": "T1561.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used the [BlackEnergy](https://attack.mitre.org/software/S0089) KillDisk component to corrupt the infected system's master boot record.(Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1484", "showSubtechniques": true},
    {"techniqueID": "T1484.001", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) leveraged Group Policy Objects (GPOs) to deploy and execute malware.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1499", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) temporarily disrupted service to Georgian government, non-government, and private sector websites after compromising a Georgian web hosting provider in 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1585", "showSubtechniques": true},
    {"techniqueID": "T1585.001", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has established social media accounts to disseminate victim internal-only documents and other sensitive data.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1585.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has created email accounts that mimic legitimate organizations for its spearphishing operations.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has sent system information to its C2 server using HTTP.(Citation: ESET Telebots Dec 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1190", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) exploits public-facing applications for initial access and to acquire infrastructure, such as exploitation of the EXIM mail transfer agent in Linux systems.(Citation: NSA Sandworm 2020)(Citation: Leonard TAG 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1203", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).(Citation: iSight Sandworm Oct 2014)(Citation: TrendMicro Sandworm October 2014)(Citation: McAfee Sandworm November 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1133", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. [Sandworm Team](https://attack.mitre.org/groups/G0034) has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.(Citation: ESET BlackEnergy Jan 2016)(Citation: ESET Telebots June 2017)(Citation: ANSSI Sandworm January 2021)(Citation: mandiant_apt44_unearthing_sandworm) During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) installed a modified Dropbear SSH client as the backdoor to target systems. (Citation: Booz Allen Hamilton)", "score": 1, "color": "#ff66f4", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has enumerated files on a compromised host.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1592", "showSubtechniques": true},
    {"techniqueID": "T1592.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has researched software code to enable supply-chain operations, most notably for the 2017 [NotPetya](https://attack.mitre.org/software/S0368) attack. [Sandworm Team](https://attack.mitre.org/groups/G0034) also collected a list of computers using specific software as part of its targeting efforts.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1589", "showSubtechniques": true},
    {"techniqueID": "T1589.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has obtained valid email addresses while conducting research against target organizations that were subsequently used in spearphishing campaigns.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1589.003", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034)'s research of potential victim organizations included the identification and collection of employee information.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1590", "showSubtechniques": true},
    {"techniqueID": "T1590.001", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) conducted technical reconnaissance of the Parliament of Georgia's official internet domain prior to its 2019 attack.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1591", "showSubtechniques": true},
    {"techniqueID": "T1591.002", "comment": "In preparation for its attack against the 2018 Winter Olympics, [Sandworm Team](https://attack.mitre.org/groups/G0034) conducted online research of partner organizations listed on an official PyeongChang Olympics partnership site.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) modified in-registry internet settings to lower internet security. (Citation: Booz Allen Hamilton)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1562.002", "comment": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) disabled event logging on compromised systems.(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used backdoors that can delete files used in an attack from an infected system.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots July 2017)(Citation: Mandiant-Sandworm-Ukraine-2022) During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), vba_macro.exe deletes itself after `FONTCACHE.DAT`, `rundll32.exe`, and the associated .lnk file are delivered. (Citation: Booz Allen Hamilton)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020) During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data. (Citation: Booz Allen Hamilton)", "score": 1, "color": "#ff66f4", "showSubtechniques": false},
    {"techniqueID": "T1490", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) uses [Prestige](https://attack.mitre.org/software/S1058) to delete the backup catalog from the target system using: `C:\\Windows\\System32\\wbadmin.exe delete catalog -quiet` and to delete volume shadow copies using: `C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet`. (Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.(Citation: ESET Telebots Dec 2016) During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) gathered account credentials via a [BlackEnergy](https://attack.mitre.org/software/S0089) keylogger plugin. (Citation: Booz Allen Hamilton)(Citation: Ukraine15 - EISAC - 201603)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1570", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used `move` to transfer files to a network share and has copied payloads, such as [Prestige](https://attack.mitre.org/software/S1058) ransomware, to an Active Directory Domain Controller and distributed via the Default Domain Group Policy Object.(Citation: Dragos Crashoverride 2018)(Citation: Microsoft Prestige ransomware October 2022) Additionally, [Sandworm Team](https://attack.mitre.org/groups/G0034) has transferred an ISO file into the OT network to gain initial access.(Citation: Mandiant-Sandworm-Ukraine-2022) During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) moved their tools laterally within the corporate network and between the ICS and corporate network. (Citation: Booz Allen Hamilton)\nDuring the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used `move` to transfer files to a network share.(Citation: Dragos Crashoverride 2018)\nDuring the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) used a Group Policy Object (GPO) to copy [CaddyWiper](https://attack.mitre.org/software/S0693)'s executable `msserver.exe` from a staging server to a local hard drive before deployment.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false},
    {"techniqueID": "T1036", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) masqueraded malicious installers as Windows update packages to evade defense and entice users to execute binaries.(Citation: Leonard TAG 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) leveraged Systemd service units to masquerade GOGETTER malware as legitimate or seemingly legitimate services.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has avoided detection by naming a malicious binary explorer.exe.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020) During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.(Citation: Dragos Crashoverride 2017)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1036.008", "comment": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) masqueraded executables as `.txt` files.(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1036.010", "comment": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) created two new accounts, “admin” and “система” (System).(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) modified in-registry Internet settings to lower internet security before launching `rundll32.exe`, which in turn launches the malware and communicates with C2 servers over the Internet. (Citation: Booz Allen Hamilton)", "score": 1, "color": "#ff6666", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) uses [Prestige](https://attack.mitre.org/software/S1058) to disable and restore file system redirection by using the following functions: `Wow64DisableWow64FsRedirection()` and `Wow64RevertWow64FsRedirection()`.(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1040", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used Intercepter-NG to sniff passwords in network traffic.(Citation: ESET Telebots Dec 2016) During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used [BlackEnergy](https://attack.mitre.org/software/S0089)’s network sniffer module to discover user credentials being sent over the network between the local LAN and the power grid’s industrial control systems. (Citation: Charles McLellan March 2016)", "score": 1, "color": "#ff66f4", "showSubtechniques": false},
    {"techniqueID": "T1095", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) proxied C2 communications within a TLS-based tunnel.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false},
    {"techniqueID": "T1571", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used port 6789 to accept connections on the group's SSH server.(Citation: ESET BlackEnergy Jan 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used Base64 encoding within malware variants.(Citation: iSight Sandworm Oct 2014) During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used heavily obfuscated code with [Industroyer](https://attack.mitre.org/software/S0604) in its Windows Notepad backdoor.(Citation: ESET Industroyer)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used UPX to pack a copy of [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1027.010", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.(Citation: ESET Telebots Dec 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588", "showSubtechniques": true},
    {"techniqueID": "T1588.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has acquired open-source tools for their operations, including [Invoke-PSImage](https://attack.mitre.org/software/S0231), which was used to establish an encrypted channel from a compromised host to [Sandworm Team](https://attack.mitre.org/groups/G0034)'s C2 server in preparation for the 2018 Winter Olympics attack, as well as [Impacket](https://attack.mitre.org/software/S0357) and RemoteExec, which were used in their 2022 [Prestige](https://attack.mitre.org/software/S1058) operations.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Microsoft Prestige ransomware October 2022) Additionally, [Sandworm Team](https://attack.mitre.org/groups/G0034) has used [Empire](https://attack.mitre.org/software/S0363), [Cobalt Strike](https://attack.mitre.org/software/S0154) and [PoshC2](https://attack.mitre.org/software/S0378).(Citation: mandiant_apt44_unearthing_sandworm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588.006", "comment": "In 2017, [Sandworm Team](https://attack.mitre.org/groups/G0034) conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.001", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used its plainpwd tool, a modified version of [Mimikatz](https://attack.mitre.org/software/S0002), and comsvcs.dll to dump Windows credentials from system memory.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)(Citation: Microsoft Prestige ransomware October 2022) During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used [Mimikatz](https://attack.mitre.org/software/S0002) to capture and use legitimate credentials.(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1003.003", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used `ntdsutil.exe` to back up the Active Directory database, likely for credential access.(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has delivered malicious Microsoft Office and ZIP file attachments via spearphishing emails.(Citation: iSight Sandworm Oct 2014)(Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Google_WinRAR_vuln_2023)(Citation: mandiant_apt44_unearthing_sandworm) During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) obtained their initial foothold into many IT systems using Microsoft Office attachments delivered through phishing emails. (Citation: Ukraine15 - EISAC - 201603)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1566.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has crafted phishing emails containing malicious hyperlinks.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1598", "showSubtechniques": true},
    {"techniqueID": "T1598.003", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) loaded [BlackEnergy](https://attack.mitre.org/software/S0089) into svchost.exe, which then launched iexplore.exe for their C2. 
(Citation: Booz Allen Hamilton)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1572", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) deployed the GOGETTER tunneler software to establish a \u201cYamux\u201d TLS-based C2 channel with an external server(s).(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034)'s BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally.(Citation: ESET Telebots Dec 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1219", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used remote administration tools or remote industrial control system client software for execution and to maliciously release electricity breakers.(Citation: US-CERT Ukraine Feb 2016)(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has copied payloads to the `ADMIN$` share of remote systems and run net use to connect to network shares.(Citation: Dragos Crashoverride 2018)(Citation: Microsoft Prestige ransomware October 2022)\nDuring the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized `net use` to connect to network shares.(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1018", "comment": "[Sandworm 
Team](https://attack.mitre.org/groups/G0034) has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.(Citation: ESET Telebots Dec 2016)(Citation: Dragos Crashoverride 2018) During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets. (Citation: Charles McLellan March 2016)\nDuring the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) checked for connectivity to resources within the network and used LDAP to query Active Directory, discovering information about computers listed in AD.(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) leveraged SHARPIVORY, a .NET dropper that writes an embedded payload to disk and uses scheduled tasks to persist on victim machines.(Citation: mandiant_apt44_unearthing_sandworm) During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute [CaddyWiper](https://attack.mitre.org/software/S0693) at a predetermined time.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1593", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) researched Ukraine's unique legal entity identifier (called an \"EDRPOU\" number), including running queries on the EDRPOU website, in preparation for the 
[NotPetya](https://attack.mitre.org/software/S0368) attack. [Sandworm Team](https://attack.mitre.org/groups/G0034) has also researched third-party websites to help it craft credible spearphishing emails.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1594", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has conducted research against potential victim websites as part of its operational planning.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.001", "comment": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used various MS-SQL stored procedures.(Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1505.003", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used webshells including [P.A.S. 
Webshell](https://attack.mitre.org/software/S0598) to maintain access to victim networks.(Citation: ANSSI Sandworm January 2021) During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) deployed the Neo-REGEORG webshell on an internet-facing server.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1489", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) attempts to stop the MSSQL Windows service to ensure successful encryption of locked files.(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1072", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used the commercially available tool RemoteExec for agentless remote code execution.(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1608", "showSubtechniques": true}, {"techniqueID": "T1608.001", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) staged compromised versions of legitimate software installers in forums to enable initial access through the executing user.(Citation: mandiant_apt44_unearthing_sandworm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1539", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used information stealer malware to collect browser session cookies.(Citation: Leonard TAG 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1195", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) staged compromised versions of legitimate software installers on forums to achieve initial, untargeted access in victim environments.(Citation: mandiant_apt44_unearthing_sandworm)", "score": 1, "showSubtechniques": true}, 
{"techniqueID": "T1195.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has distributed [NotPetya](https://attack.mitre.org/software/S0368) by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.(Citation: Secureworks NotPetya June 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used a backdoor which could execute a supplied DLL using rundll32.exe.(Citation: ESET Telebots July 2017)\tDuring the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used a backdoor which could execute a supplied DLL using `rundll32.exe`. (Citation: Booz Allen Hamilton)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used a backdoor to enumerate information about the infected system's operating system.(Citation: ESET Telebots July 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) had gathered user, IP address, and server data related to RDP sessions on a compromised host. 
It has also accessed network diagram files useful for understanding how a host's network was configured.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has collected the username from a compromised host.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1199", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization.(Citation: US District Court Indictment GRU Unit 74455 October 2020) Additionally, [Sandworm Team](https://attack.mitre.org/groups/G0034) has accessed Internet service providers and telecommunication entities that provide mobile connectivity.(Citation: mandiant_apt44_unearthing_sandworm) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) 
leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them. (Citation: Ukraine15 - EISAC - 201603)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1078", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) have used previously acquired legitimate credentials prior to attacks.(Citation: US-CERT Ukraine Feb 2016)During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts on the corporate network to escalate privileges, move laterally, and establish persistence within the corporate network. (Citation: Ukraine15 - EISAC - 201603)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1078.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used stolen credentials to access administrative accounts within the domain.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Microsoft Prestige ransomware October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. 
[Sandworm Team](https://attack.mitre.org/groups/G0034) also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used [Impacket](https://attack.mitre.org/software/S0357)\u2019s WMIexec module for remote code execution and VBScript to run WMI queries.(Citation: Dragos Crashoverride 2018)(Citation: Microsoft Prestige ransomware October 2022) During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), WMI in scripts was used for remote execution and system surveys. (Citation: Dragos Crashoverride 2018)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Sandworm Team", "color": "#66b1ff"}, {"label": "used by a campaign attributed to Sandworm Team", "color": "#ff6666"}, {"label": "used by Sandworm Team and used by a campaign attributed to Sandworm Team", "color": "#ff66f4"}]}